Microsoft releases a one-click ProxyLogon mitigation tool

Welcome to the next episode of the Xopero Security Center. Race against time – that’s the best description of the ProxyLogon situation. First Microsoft has released emergency patches for vulnerable systems. No more than a week later researchers spotted the first ransomware actively exploiting these vulnerabilities. Now users got a one-click ProxyLogon mitigation tool (details below). The keyword is „mitigation” – it mitigates the risk of exploit until the update will be applied. This is not an alternative. The good news – tens of thousands of Microsoft Exchange servers have been patched already. Experts have never seen patch rates this high for any system before. Still, there are about 82k devices vulnerable to the attack. Hence the new tool. Need to find out more? Check the rest of the article.

With this new one-click mitigation tool you can check if ProxyLogon vulnerabilities got to you too

Microsoft has released a one-click Exchange On-premises Mitigation Tool (EOMT) tool to allow small business owners to easily check if their servers are vulnerable to the ProxyLogon vulnerabilities. Recent statistics show that at least 82,000 internet-facing servers are still unpatched and vulnerable to attack. There is still work to do, hence the new tool. The EOMT has been designed to help customers that might not have security or IT staff on hand to help and has been tested across Exchange Server 2013, 2016, and 2019.

It is important to note the tool is not an alternative to patching but should be considered a means to mitigate the risk of exploit until the update has been applied as quickly as possible. 

The ‘EOMT.ps1’ script can be downloaded from Microsoft’s GitHub repository, and when executed, will automatically perform the following tasks:

Mitigates the CVE-2021-26855 Server-Side Request Forgery (SSRF) vulnerability by installing the IIS URL Rewrite module and a regular expression rule that aborts any connections containing the ‘X-AnonResource-Backend’ and ‘X-BEResource’ cookie headers.

Downloads and runs the Microsoft Safety Scanner to remove known web shells and other malicious scripts installed via these vulnerabilities. The script will then remove any malicious files found.

Additionally, admins are advised to also check for indicators of compromise (IOC) in Exchange HttpProxy logs, Exchange log files, and Windows Application event logs.

Source: 1 | 2

New Mirai variant targets SonicWall, D-Link, Netgear and IoT devices

A new variant of the Mirai botnet has been discovered targeting a slew of vulnerabilities in unpatched D-Link, Netgear and SonicWall devices — as well as never-before-seen flaws in unknown internet-of-things (IoT) gadgets.

The attacks leverage a number of vulnerabilities. The known vulnerabilities exploited include: A SonicWall SSL-VPN exploit; a D-Link DNS-320 firewall exploit (CVE-2020-25506); Yealink Device Management remote code-execution (RCE) flaws (CVE-2021-27561 and CVE-2021-27562); a Netgear ProSAFE Plus RCE flaw (CVE-2020-26919); an RCE flaw in Micro Focus Operation Bridge Reporter (CVE-2021-22502); and a Netis WF2419 wireless router exploit (CVE-2019-19356 ).

Patches are available for all of these flaws; the botnet is targeting devices that have not yet applied the available updates.

After successfully compromising a device, the attacker dropped various binaries that let them schedule jobs, create filter rules, run brute-force attacks, or propagate the botnet malware. 

The variant is only the latest to rely on Mirai’s source code, which has proliferated into more than 60 variants since bursting on the scene with a massive distributed denial of service (DDoS) takedown of DNS provider Dyn in 2016.

Source: 12

The curious case of disappearing/deleting Microsoft Teams and SharePoint files

On Monday, Microsoft suffered a massive outage that affected almost all cloud services, including Microsoft 365, Microsoft Teams, Xbox Live, Exchange Online,, and SharePoint. The outage was caused by a configuration issue in the Azure Active Directory service.

That was on Monday… Since Tuesday, numerous Microsoft SharePoint administrators face a new problem – missing files in their clients SharePoint folders. The SharePoint folder structure is still intact, but most or sometimes all of the files are missing. Missing were? Short investigation has shown that these files have been deleted and are now located in SharePoint’s cloud recycle bin, or in some cases, a local PC’s Recycle Bin.

The root of the problem

Microsoft confirmed that the issues are related to its advisories SP244708 (SharePoint) and OD244709 (OnDrive). Both advisories are essentially the same and state that local copies of OneDrive for Business or SharePoint files will be restored after initiating a resync. The cause for both issues is the same as well – Monday’s Azure Active Directory (AAD) outage.

While each advisory states that the outage has caused local data to become unavailable, neither advisory explains why the files are being deleted from SharePoint’s cloud folders and why users continue to see this happening after the outage has been resolved.

And… it is still not the end. To make matters worse numerous Microsoft Teams Free users report that files shared on their channels are no longer accessible on either the desktop or web client.

Image: Bleeping Computer

According to Microsoft Teams Engineering PM Sam Cosby, his team found the cause for the missing files and would be applying mitigations as soon as they can. He did not share what was causing the users’ files to go missing in the first place.


New CopperStealer malware hijacks social media accounts

Researchers with Proofpoint released details on new undocumented malware called CopperStealer. It steals social media logins and spreads more malware.

CopperStealer has many of the same targeting and delivery methods as SilentFade, a Chinese-sourced malware family first reported by Facebook in 2019.

The Copperstealer malware attempts to steal the account passwords to Facebook, Instagram, Google, and other major service providers, according to Proofpoint. The stolen passwords are used to run malicious ads for profit and spread more malware.

Researchers were first alerted to the malware sample in late January. The earliest discovered samples date back to July 2019. 

According to Proofpoint they also identified additional versions that target other major service providers, including Apple, Amazon, Bing, Google, PayPal, Tumblr and Twitter. 

How to protect your social media accounts against CopperStealer? Better turn on two-factor authentication as soon as possible. 


Do you have thirst for knowledge? There are ten more cybersecurity stories below

1. Phishing sites now detect virtual machines to bypass detection (Bleeping Computer)
2. Old Linux storage bugs, new security patches (ZDNet)
3. Google: This Spectre proof-of-concept shows how dangerous these attacks can be (ZDNet)
4. Microsoft’s Azure SDK site tricked into listing fake package (Bleeping Computer)
5. Magecart Attackers Save Stolen Credit-Card Data in .JPG File (Threat Post)
6. Twitter images can be abused to hide ZIP, MP3 files — here’s how (Bleeping Computer)
7. Mimecast Says SolarWinds Attackers Accessed its Source Code Repositories (Dark Reading)
8. Trojanized Xcode Project Slips MacOS Malware to Apple Developers (Threat Post)
9. In just $16, Hackers May Steal User Data Via SMS Attack (E-Hacking News)
10. Millions of People Can Lose Sensitive Data through Travel Apps, Privacysavvy reports (Security Affairs)